Tuesday, May 8, 2007

Impersonation hand-in-hand with Authentication

Before we begin, let’s go through the raw definition of ‘Impersonation’.


What is Impersonation:

Sometimes a user's request is required to run in the security context of some other user identity. This is where impersonation comes into the picture.


Impersonation is a process in which a user accesses resources by using the identity of another user.


An example of impersonation is the use of the IUSR_<Machine Name> account, e.g. ‘IUSR_PS4738’. This account is automatically created by IIS.

Whenever a Web site has anonymous access enabled, IIS runs all the users' requests using the identity of the IUSR_<Machine Name> account.



In ASP: Impersonation is enabled by default.

i.e. when you request pages with Classic ASP, the page is executed with the permissions of the user making the request.

In other words, in Classic ASP, each request impersonates a user account.

For example,

·         If you request a page while logged in under the Administrator user account, the requested Active Server Page is executed with the permissions of the Administrator account.

·         If you request an Active Server Page anonymously, the Active Server Page is executed under the IUSR_MachineName account.



In ASP.Net: Impersonation is disabled by default.

i.e. when you request pages with ASP.Net, the page is executed with the permissions of the ASPNET account.

The ASPNET account is automatically added to your server when you install the .NET Framework on IIS 5.0.


For reference: In case of IIS 6.0, the ‘NETWORK SERVICE’ account is used instead of the regular ‘ASPNET’ account.

There is a lot more attached to it. I’ll come up with it in my next post very soon.


Let's understand impersonation in three different cases.



Default “No Impersonation”

·         Impersonation is disabled by default.

·         However, you can explicitly specify that ASP.NET should not use impersonation by including the following setting in the file Web.config:


<identity impersonate="false"/>


·         As mentioned above, when impersonation is disabled, the request runs under the privileges of the ASPNET account.

·         However, you can change this through a setting in the processModel section of the machine.config file.

·         For example, to use a high-privileged system account instead of a low-privileged one, set the userName attribute of the processModel element to SYSTEM.

·         When so configured, the ASP.NET worker process will have the right to access nearly all resources on the local server. In Windows 2000, Windows XP, and Windows Server 2003 family systems, the System account also has network credentials and can access network resources as the machine account.


·         For an anonymous user, the request is also handled using the ASPNET/SYSTEM account, because with impersonation disabled the IUSR_MachineName account does not take effect.


<identity impersonate="true"/>


·         This setting must be configured in Web.config:


<identity impersonate="true"/>


·         Once enabled, the following happens for authenticated and anonymous users:

·         If Authenticated access: ASP.NET will handle the request using the credentials of the authenticated user making the request. There is a drawback attached to this, described below.

·         If Anonymous access in IIS: The request will be handled using the IUSR_MachineName account.


Drawback: In case of authenticated access, if the credentials used have high-privilege access, this may create trouble. To overcome this, impersonation should ideally be enabled with limited privileges. This is covered below.


<identity impersonate="true" userName="DOMAIN\username" password="password"/>


·         This setting must be configured in Web.config:


<identity impersonate="true" userName="DOMAIN\username" password="password"/>


·         Once enabled, the following happens for authenticated and anonymous users:

·         If Authenticated access: ASP.NET will take on the credentials specified in Web.config as above instead of the credentials used to log in to the system, hence safe access.

·         If Anonymous access in IIS: The request will be handled using the IUSR_MachineName account.
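
The three cases above can be checked mechanically when reviewing a server. The following is an added example, not code from the original post: it reads a Web.config and, optionally, a machine.config, and reports which case applies and which identity authenticated requests run under. The function name `audit_identity`, the case labels and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for illustration; they are not from the original post.
MACHINE_SYSTEM = '<configuration><system.web><processModel userName="SYSTEM"/></system.web></configuration>'
WEB_FALSE = '<configuration><system.web><identity impersonate="false"/></system.web></configuration>'
WEB_CALLER = '<configuration><system.web><identity impersonate="true"/></system.web></configuration>'
WEB_FIXED = (r'<configuration><system.web><identity impersonate="true" '
             r'userName="DOMAIN\username" password="password"/></system.web></configuration>')


def audit_identity(web_config, machine_config=None, default_worker="ASPNET"):
    """Return (case, runs_as, findings) for authenticated requests.

    default_worker is ASPNET on IIS 5.0; pass "NETWORK SERVICE" for IIS 6.0.
    """
    findings = []
    worker = default_worker
    if machine_config:
        pm = ET.fromstring(machine_config).find("system.web/processModel")
        name = pm.get("userName") if pm is not None else None
        # userName="machine" denotes the built-in default account, not an override.
        if name and name.lower() != "machine":
            worker = name
    if worker.upper() == "SYSTEM":
        findings.append("worker process runs as SYSTEM: access to nearly all local resources")

    ident = ET.fromstring(web_config).find("system.web/identity")
    if ident is None or ident.get("impersonate", "false").lower() != "true":
        # Case 1: no impersonation, every request uses the worker process account.
        return "no-impersonation", worker, findings

    user = ident.get("userName")
    if not user:
        # Case 2: the drawback noted in the post applies.
        findings.append("each request runs with the caller's own privileges, "
                        "including high-privileged callers")
        return "impersonate-caller", "authenticated user", findings

    # Case 3: a fixed, ideally low-privileged, account from Web.config.
    if ident.get("password"):
        findings.append("password for the fixed account is in clear text in Web.config")
    return "impersonate-fixed-account", user, findings


if __name__ == "__main__":
    for label, web, machine in [("default", WEB_FALSE, None), ("SYSTEM", WEB_FALSE, MACHINE_SYSTEM),
                                ("caller", WEB_CALLER, None), ("fixed", WEB_FIXED, None)]:
        print(label, "->", audit_identity(web, machine))
```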








Please follow the attached figure, explaining impersonation hand-in-hand with authentication flow.


In case of any doubts, do let me know.



Thanks & Regards,

Arun Manglick

SMTS || Microsoft Technology Practice || Bridgestone - Tyre Link || Persistent Systems || 3023-6258


